Abstract. We provide a denotational semantics for first-order logic that captures the two-level view of the computation process typical for constraint programming. At one level we have the usual program execution. At the other level an automatic maintenance of the constraint store takes place.

We prove that the resulting semantics is sound with respect to the truth definition. By instantiating it with specific forms of constraint management policies we obtain several sound evaluation policies for first-order formulas. This semantics can also be used as a basis for a sound implementation of constraint maintenance in the presence of block declarations and conditionals.



1 Introduction 

By the celebrated result of Turing, first-order logic is undecidable. In particular, the question of determining for an interpretation whether a first-order formula is satisfiable, and finding a satisfying substitution if it is, is undecidable. Still, for many formulas this question can be answered in a straightforward way. Take for instance the following simple formula interpreted over the standard interpretation for arithmetic:

y < z ∧ y = 1 ∧ z = 2 (1)

It is easy to see that it is satisfied by the substitution {y/1, z/2}. Similarly, it is easy to see that the formula

¬(x = 1) ∧ x = 0 (2)

is satisfied by the substitution {x/0}.

The question is whether we can capture this concept of "straightforwardness" in a natural way. Our first attempt to answer this question was given in Apt and Bezem [ref] by providing a natural operational semantics for first-order logic which is independent of the underlying interpretation for it. It captures the computation process as a search for a satisfying substitution for the formula in question. Because the problem of finding such a substitution is in general undecidable, we introduced in it the possibility of partial answers in the form of a special error state indicating a run-time error. In Apt [ref] we slightly extend this approach by explaining how more general equalities can be handled and formulate it in the form of a denotational semantics for first-order logic. Unfortunately, both semantics are too weak to deal properly with formulas (1) and (2): for both of them the error state is generated.

In this paper we try to overcome these limitations by providing a computational 
interpretation of first-order logic in the spirit of constraint programming. Ac- 
cording to this view the computation process takes place on two levels. At one 
level we have the usual program execution. At the other level, in the "back- 
ground" inaccessible to the user, an automatic maintenance of the constraint 
store takes place. The problem we tackle is undecidable, so we introduce the 
possibility of partial answers. They are modeled now by a non-empty constraint 
store or the error state. 

The automatic maintenance of the constraint store is modeled by a parametric 
infer operation that acts on states. The idea of an abstract infer operation is due 
to Jaffar and Maher [ref]. Here we consider it in the presence of arbitrary first-order 
formulas. Because of this generality we can obtain various sound realizations 
of the constraint store management by appropriately instantiating infer. The 
correctness of this approach is formalized in the form of an appropriate soundness 
result. To establish it we need to assume some properties of the infer operation. 
They are formulated as five "healthiness" conditions. 

To illustrate the benefits of this view of first-order logic and to show the scope 
of the soundness result, we discuss several ways of instantiating the infer pa- 
rameter to specific constraint management policies. Examples include admission 
of a constraint store consisting of arbitrary first-order formulas, restriction to a 
constraint store consisting only of atomic constraints, and restriction to a con- 
straint store consisting only of arbitrary first-order positive formulas. We can 
also discuss in this framework in a uniform way unification, an algorithm for 
solving equations and disequations over the Herbrand algebra, and Gaussian 
elimination in presence of arithmetic constraints. 

On the more practical side, these considerations lead to specific implementation 
proposals of the constraint store in presence of block declarations and condi- 
tionals, here modeled, respectively, by means of existential quantification and of 
negation, conjunction and disjunction. 

To clarify these issues we return to formula (1). If we do not admit a constraint store, as in the semantics of [ref] and [ref], its evaluation yields the error state, since we cannot evaluate y < z without knowing the values for y and z. But if we do allow atomic constraints in the store, we can postpone the evaluation of y < z and the evaluation yields the substitution {y/1, z/2}.

Next, let us reconsider formula (2). If only atomic formulas are allowed as constraints, the evaluation of this formula yields the error state, since we can neither evaluate ¬(x = 1) nor add this formula to the constraint store. If, however, negated formulas are allowed in the constraint store, the substitution {x/0} is an answer. The soundness theorem states that each computed substitution satisfies the evaluated formula.
The question of providing an appropriate semantics for first-order logic in the spirit of constraint programming could be approached by taking for a formula φ(x̄) a clause p(x̄) ← φ(x̄), where p is a new relational symbol, and by applying to it a transformation in the style of Lloyd and Topor [ref]. The outcome would be a constraint logic program that uses negation. After clarifying how to deal properly with negation this could yield a rather indirect answer to the question we study. In contrast, our approach, expressed in the form of a denotational semantics, is much more direct and conceptually transparent: the meaning of each formula is expressed directly in terms of the meaning of its constituents and it is parametrized in a simple way by the infer operation.
The rest of the paper is organized as follows. In Section 2 we introduce the infer operation and discuss in detail the requirements we impose on it. The main difficulty has to do with the appropriate treatment of existential variables. In Section 3 we define our denotational semantics. Next, in Section 4 we show that the proposed semantics subsumes the denotational semantics provided in [ref]. Then in Section 5 we discuss various increasingly powerful forms of constraint store management, each modeled by means of a particular infer operation. Finally, in Section 6 we discuss related work.



2 Towards the denotational semantics 

Below we work our way towards our proposal for the denotational semantics in 
several steps, first introducing the basic semantic ingredients, then discussing the 
crucial conditions on the infer parameter and finally presenting the denotational 
semantics for first order logic with infer parameter. In the next section we will 
then state the soundness result for the semantics. The proof details are deferred 
to the appendix. We discuss several ways of instantiating the infer parameter to 
show the scope of the soundness result. In the final section we review the goals 
and results and look ahead to further developments. 

Preliminaries Let us assume that an algebra J is given over which we want to perform computations. The basic ingredient of the semantic universe will be the set of states, STATES. States come in two kinds. First we have an error state, ERROR, which remains unanalyzed. All other states consist of two components: one component is a constraint store C, the other a substitution θ. Such a state is then written (C; θ). As always, a substitution θ is a mapping from variables to terms. It assigns a term xθ to each variable x, but there are only finitely many variables for which x ≠ xθ. These variables form dom(θ), the domain of θ. The application of a substitution θ to a term t, written tθ, is defined as usual. We denote the empty substitution by ε.

A constraint store C is simply a finite set of formulas of first-order logic. In many applications there are extra requirements on the syntactic form of a constraint store, but for now we keep things as general as possible. ⊥ is a special formula which is always false.
Throughout the paper we try to limit the number of brackets and braces as much as possible. In particular, for a finite set {A₁, …, Aₙ} we will often write A₁, …, Aₙ. Also, we write infer(C; θ) instead of infer((C; θ)), etc.

The treatment of local variables: dropping things An important ingredient of the set up is the DROP_u mapping on states. It is the way we deal with local variables. This works in two steps: first we define the substitution DROP_u(θ) for each variable u and substitution θ, as in [ref]:

u DROP_u(θ) = u

x DROP_u(θ) = xθ for all other variables x

So, DROP_u makes the current value of u disappear, thus capturing the idea of a local variable for the substitutions. But we also have another component in states: the constraint store. Dropping u from such a set of formulas corresponds to existential quantification over u. There is one little extra point to take care of, however: in a state (C; η) the information that η provides about the value of u is implicitly available to C. Therefore, we perform the quantification ∃u only after adding the information about the value of u explicitly to C. Also the values yη in which u appears have to be kept in mind. We take the conjunction of the equations y = yη for all such variables y and write it as ȳ = ȳη. This leads us to the following formula that takes care of the local variables in C.

∃u (u = uη ∧ ȳ = ȳη ∧ ⋀C)

Note that this formula depends both on u and η. So, we cannot define a DROP_u mapping on constraint stores alone: we have to know η as well.
This formula expresses the information we are after in a uniform way, but in 
'borderline cases' the syntactic format is awkward. For example, if C = 0, we 
get a trivial existential quantification over the first two conjuncts. This exis- 
tential quantifier is semantically harmless, but specific constraint propagation 
formalisms simply do not work on existentially quantified formulas. Therefore 
we rather adopt a format in which the quantifier only appears if it is really 
necessary. 

This is done in two steps: first, the quantification over u only matters for the formulas in C in which u actually occurs. We make this explicit in the definition by distinguishing C(u), the subset of C that contains exactly the formulas with the free variable u. In the formula we use for the DROP_u mapping we can then always take C − C(u) outside the scope of the quantifier. This gives:

C − C(u), ∃u (u = uη ∧ ȳ = ȳη ∧ ⋀C(u))

Finally, in the special case C(u) = ∅, we leave out the existentially quantified formula altogether.

For the error state we simply set DROP_u(ERROR) = ERROR. To summarize, the mapping DROP_u is defined on states by the following cases:

DROP_u(C; η) = (C; DROP_u(η))                                              if C(u) = ∅
DROP_u(C; η) = (∃u (u = uη ∧ ȳ = ȳη ∧ ⋀C(u)), C − C(u); DROP_u(η))   if C(u) ≠ ∅
DROP_u(ERROR) = ERROR



Conditions on infer Another important ingredient of the framework is the 
infer mapping: infer maps a state to a set of states. The infer mapping is the 
basic notion of computation in the semantics: we do not specify what happens 
'within' the infer mapping. This makes the set up extremely general: the infer 
steps can consist of calls to a constraint solver, like a unification algorithm or an 
algorithm for solving linear equations over reals, calls to a constraint propagation 
algorithm, or other atomic computation steps. Several instances of the infer 
mapping will be discussed in more detail later on. 

We can almost get away with complete generality regarding infer. To make sure that the formalism respects first-order logic, we have to make a few modest requirements. Let us write (C; θ) ⊨_J φ for Cθ ⊨_J φθ. In particular (∅; θ) ⊨_J φ iff ⊨_J φθ. Then the restrictions that we need in the soundness proof below read as follows:

(1) Equivalence: if (C'; θ') ∈ infer(C; θ), then (C; θ) ⊨_J φ iff (C'; θ') ⊨_J φ

(2) Renaming: if (C'; θ') ∈ infer(C; θ), then also (C'_v; θ'_v) ∈ infer(C; θ), where (C'_v; θ'_v) is obtained from (C'; θ') by replacing all occurrences of u by v, for a variable u that is fresh w.r.t. (C; θ) and a variable v that is fresh w.r.t. both (C; θ) and (C'; θ')

(3) Inconsistency: if infer(C; θ) = ∅, then (C; θ) ⊨_J ⊥

(4) Error: infer(ERROR) = {ERROR}

(5) Identity: infer(∅; θ) = {(∅; θ)}

So, the infer mapping should respect logical equivalence, i.e., the state (C'; θ') that we reach starting from (C; θ) should still make the same formulas true. Furthermore, the infer mapping should not be sensitive to the choice of fresh variables: if infer works for u, it should also work for an alternative fresh variable v. Finally, infer should respect falsity and the error state.¹ When we talk about the consistency of states, we are dealing with a three-way distinction. We say that a state σ is: J-consistent, if σ ≠ ERROR and σ ⊭_J ⊥; J-inconsistent, if σ ≠ ERROR and σ ⊨_J ⊥; error, if σ = ERROR. For a set of states Σ ⊆ STATES we then distinguish: cons_J(Σ) = {σ ∈ Σ : σ is J-consistent} and cons⁺_J(Σ) = {σ ∈ Σ : σ is not J-inconsistent}. Usually it is clear to which J we refer and we omit J from the notation.



1 The Identity requirement is not necessary for the proof of the soundness theorem, 
but it seems too natural to leave it out. Renaming is used only in the proof of the 
Preservation/Persistence Lemma in the case of the existential formula. 
3 Denotational semantics



We now define a denotational semantics for first order logic in which the infer 
mapping is a parameter. The parameter can be set to give the semantics from 
Apt [ref], for example, but many other settings are available, as we will see below. 
This way we obtain general results, that apply uniformly to various forms of 
constraint store management. 

We define the mapping [φ] : STATES → 𝒫(STATES), using postfix notation.²

(C; θ)[A]        = infer(C, A; θ)     for an atomic formula A
(C; θ)[φ₁ ∨ φ₂] = (C; θ)[φ₁] ∪ (C; θ)[φ₂]
(C; θ)[φ₁ ∧ φ₂] = ((C; θ)[φ₁])[φ₂]
(C; θ)[¬φ]       = infer(C; θ)         if cons⁺((C; θ)[φ]) = ∅
                 = ∅                   if (C'; θ') ∈ cons((C; θ)[φ]) for some (C'; θ') equivalent to (C; θ)
                 = infer(C, ¬φ; θ)     otherwise
(C; θ)[∃x φ]     = ⋃_σ infer(DROP_u(σ))   where, for some fresh u, σ ranges over cons⁺((C; θ)[φ{x/u}])
ERROR[φ]         = {ERROR}             for all φ



The definition relies heavily on the notation that was introduced before, but it is still quite easy to see what goes on. The atomic formulas are handled by means of the infer mapping. Then, disjunction is interpreted as nondeterministic choice, and conjunction as sequential composition. For existential quantification we use the DROP_u mapping (for a fresh variable u). The error clause says that there is no recovery from error. In the case for negation, three contingencies are present: first, the case where φ is inconsistent. Then we continue with the input state (C; θ). Secondly, the case where φ is already true in (a state equivalent to) the input state. Then we conclude that ¬φ yields inconsistency, i.e., we get ∅. Finally, we add ¬φ to the constraint store C if it is impossible at this point to reach a decision about the status of φ.

Next we show that the denotational semantics with the infer parameter is sound. This amounts to two things: 1. successful computations of φ result in states in which φ holds; 2. if no successful computation of φ exists, φ is false in the initial state.



Theorem 1 (Soundness). Let (C; θ) and φ be given. Then we have:

1. If (C'; θ') ∈ (C; θ)[φ], then (C'; θ') ⊨_J φ.

2. If cons⁺((C; θ)[φ]) = ∅, then (C; θ) ⊨_J ¬φ.



² We also sneak in the notation Σ[φ] for ⋃_{σ∈Σ} σ[φ].

The proof of the theorem is by a simultaneous induction on the structure of the formula φ. In the proof we need a preservation/persistence result, which we give as a separate lemma.

Lemma 1 (Preservation/Persistence).

1. If (C; θ) ⊨_J φ₁ and (C'; θ') ∈ (C; θ)[φ₂], then (C'; θ') ⊨_J φ₁. (validity)

2. If Cθ and (φ₁ ∧ φ₂)θ are mutually consistent (in J) and (C'; θ') ∈ cons((C; θ)[φ₂]), then C'θ' and (φ₁ ∧ φ₂)θ' are mutually consistent (in J). (consistency)

The lemma says that computations of [φ₂] will not disturb the status of φ₁: the computation preserves validity and consistency. The proof of the lemma is by a simultaneous induction on the structure of φ₂. Some proof details are given in the appendix. Here we continue by considering several instantiations of the general format.



4 Modeling the denotational semantics of Apt [ref]

We start our analysis by recalling the semantics provided in [ref]. The idea of 
this semantics is to provide a uniform computational meaning for the first-order 
formulas independent of the underlying interpretation and without a constraint 
store. This yields a limited way of processing formulas in the sense that oc- 
casionally an error may arise. After we have reintroduced this semantics we 
shall discuss a number of its extensions, all involving a specific constraint store 
management. So, let us recall the relevant definitions. 

Definition 1. Assume a language of terms L and an algebra J for it.

- Consider a term of L in which we replace some of the variables by elements of the domain D. We call the resulting object a generalized term.

- Given a generalized term t we define its J-evaluation as follows. Each ground term s of L evaluates to a unique value in J. Given a generalized term t, replace each maximal ground subterm of t by its value in J. We call the resulting generalized term a J-term and denote it by ⌊t⌋_J.

- By a J-substitution we mean a finite mapping from variables to J-terms which assigns to each variable x in its domain a J-term different from x. We write it as {x₁/h₁, …, xₙ/hₙ}. We define the notion of an application of a J-substitution θ to a generalized term t in the standard way and denote it by tθ.

- A composition of two J-substitutions θ and η, written as θη, is defined as the unique J-substitution γ such that for each variable x

xγ = ⌊(xθ)η⌋_J.
The J-substitutions generalize both the usual substitutions and the valuations, which assign domain values to variables. After these introductory definitions we recall the semantics [·] of an equation between two generalized terms (so a fortiori, between two terms). Here and elsewhere we do not indicate the dependency of the semantics on the underlying interpretation or algebra.

[s = t](θ) :=
  {θ{sθ/⌊tθ⌋_J}}   if sθ is a variable that does not occur in tθ,
  {θ{tθ/⌊sθ⌋_J}}   if tθ is a variable that does not occur in sθ and sθ is not a variable,
  {θ}              if ⌊sθ⌋_J and ⌊tθ⌋_J are identical,
  ∅                if sθ and tθ are ground and ⌊sθ⌋_J ≠ ⌊tθ⌋_J,
  {ERROR}          otherwise.

Consider now an interpretation I based on an algebra J. Given an atomic formula p(t₁, …, tₙ) different from s = t and a J-substitution θ, we denote by p_I the interpretation of p in I. We say that

- p(t₁, …, tₙ)θ is true if p(t₁, …, tₙ)θ is ground and (⌊t₁θ⌋_J, …, ⌊tₙθ⌋_J) ∈ p_I,

- p(t₁, …, tₙ)θ is false if p(t₁, …, tₙ)θ is ground and (⌊t₁θ⌋_J, …, ⌊tₙθ⌋_J) ∉ p_I.

To deal with the existential quantification we use the DROP_x operation defined in Section 2, extended in the standard way to subsets of Subs ∪ {ERROR}. Now [·] is defined by structural induction as follows. A is here an atomic formula different from s = t.

- [A](θ) := {θ} if Aθ is true; ∅ if Aθ is false; {ERROR} otherwise, that is if Aθ is not ground,

- [φ₁ ∧ φ₂](θ) := [φ₂]([φ₁](θ)),

- [φ₁ ∨ φ₂](θ) := [φ₁](θ) ∪ [φ₂](θ),

- [¬φ](θ) := {θ} if [φ](θ) = ∅; ∅ if θ ∈ [φ](θ); {ERROR} otherwise,

- [∃x φ](θ) := DROP_u([φ{x/u}](θ)), where u is a fresh variable.

The following example clarifies the way we interpret atoms and conjunction.

Example 1. Assume the standard algebra for the language of arithmetic with the set of integers as domain. We denote its elements by …, −2, −1, 0, 1, 2, …. Each constant i evaluates to the element i. We then have

1. [y = z − 1 ∧ z = x + 2]({x/1}) = [z = x + 2]({x/1, y/z − 1}) = {{x/1, y/2, z/3}},

2. [y = 1 ∧ z = 1 ∧ y − 1 = z − 1](ε) = {{y/1, z/1}},

3. [y = 1 ∧ z = 2 ∧ y < z](ε) = {{y/1, z/2}},

4. [x = 0 ∧ ¬(x = 1)](ε) = {{x/0}},

5. [y − 1 = z − 1 ∧ y = 1 ∧ z = 1](ε) = {ERROR},

6. [y < z ∧ y = 1 ∧ z = 2](ε) = {ERROR},

7. [¬(x = 1) ∧ x = 0](ε) = {ERROR}.

So in this semantics the conjunction is not commutative and consequently it matters in which order the formulas are processed. This semantics is a special case of the semantics provided in Section 3. It is obtained by using the following infer relation:

- infer(A; θ) := {(∅; η) : η ∈ [A](θ)} for an atomic formula A, where we identify (∅; ERROR) with ERROR,

- infer(C; θ) := {ERROR} for all other states (C; θ).

The relevant 'embedding' theorem is the following one.

Theorem 2 (Embedding).

- η ∈ [φ](θ) iff (∅; η) ∈ (∅; θ)[φ],

- ERROR ∈ [φ](θ) iff ERROR ∈ (∅; θ)[φ].

5 Specific constraint store managements 

We now illustrate the generality of our approach by presenting various increasingly powerful forms of constraint store management. Each of them is obtained by a particular propagation step that works on special states and is executed whenever and as long as it can be applied. aux is our name for the maximal repetition of the step.³ So, aux is a procedure on special states that is the least fixed point of aux = step ∘ aux. Then we can define the infer mapping as follows:

infer(ERROR) = {ERROR}
infer(∅; θ) = {(∅; θ)}
infer(C; θ) = aux(C; θ)   for a special state (C; θ)
infer(C; θ) = {ERROR}     otherwise

Now the examples are obtained by a specification of the special states and the step procedure. In each case it is then straightforward to check that the adopted definition of infer satisfies the conditions we put on it in Section 2. Consequently, in each case the Soundness Theorem holds. Informally, in each case we provide a sound constraint store management.

Equations as active constraints Below, following Jaffar and Maher [ref], we make a distinction between active and passive constraints. In our framework active constraints are the ones that are capable of changing the values of the variables, while the passive ones boil down to formulas that become tests after an appropriate instantiation.

³ Note that maximal repetition of one step is just one strategy for constraint management. Already Jaffar and Maher [ref] mention other options, distinguishing for example quick-checking, progressive and ideal CLP systems. Of course, our set up can also accommodate such variations.
As an example of how active constraints can be modeled using the presented semantics, consider unification as a way of solving equality constraints. To model it we choose as the underlying algebra the Herbrand algebra, the universe of which consists of the set of all ground terms of the language L.

The constraint stores of special states only contain equations. The equations are active, and each step consists of unification, whenever possible. So, we put:

step(∅; θ) := {(∅; θ)}
step(C, s = t; θ) := {(C; θη)}   if η is an mgu of sθ and tθ,
                   := ∅           if sθ and tθ are not unifiable.

Other specific forms of active constraints can be modeled in our framework in 
an equally straightforward way. 



Atoms as passive constraints The drawback of the semantics defined in the previous section is that it yields ERROR when a wrong order of conjuncts is accidentally chosen. A possible remedy is to use atoms as passive constraints, i.e., to move the atoms that currently evaluate to ERROR to the constraint store instead.

For the handling of passive constraints we include a split procedure on special states to isolate the passive constraints: split(C; θ) = (C_p, C_a; θ), where C_p is a list of the constraints that are passive when evaluated by θ and C_a is a list of the constraints that are active when evaluated by θ. When this is done, we perform a step on the active constraints. Next we re-group the constraints to reconsider the active-passive split in the new state. So, the step we perform in the auxiliary procedure is a composed action: aux = splitstep ∘ aux and splitstep = split ∘ step.⁴

In the current example we set the split procedure as indicated: we regard the atoms that would evaluate to ERROR as passive. Then the step works as follows:

step(C_p; θ) = {(C_p; θ)}                       if no active constraints occur
step(C_p, C_a, s = t; θ) = {(C_p, C_a; θη)}     if η is an mgu of sθ, tθ
step(C_p, C_a, s = t; θ) = ∅                    if sθ, tθ cannot be unified
step(C_p, C_a, A; θ) = {(C_p, C_a; θ)}          if Aθ is true
step(C_p, C_a, A; θ) = ∅                        if Aθ is false

Then splitstep := split ∘ step combines the two actions and aux repeats splitstep until no more active constraints are left to remove. Reconsider now the formulas from items (5) and (6) of Example 1. We now have

(∅; ε)[y − 1 = z − 1 ∧ y = 1 ∧ z = 1] = (y − 1 = z − 1; ε)[y = 1 ∧ z = 1] = {(∅; {y/1, z/1})}

and

(∅; ε)[y < z ∧ y = 1 ∧ z = 2] = (y < z; ε)[y = 1 ∧ z = 2] = {(∅; {y/1, z/2})}.

⁴ We ignore various implementation details regarding the particular choice of an active constraint and the distinction between lists and sets.



This shows the difference brought in by this infer procedure. However, in the case of the formula from item (7), we still have

(∅; ε)[¬(x = 1) ∧ x = 0] = {ERROR}.

Equations as active and passive constraints In general, equations can be both active and passive constraints. For example, linear equations over the reals can be active and non-linear ones passive. To model computation in their presence we choose as the underlying algebra the standard algebra for the language of arithmetic with the set of real numbers as the domain. The special states are the ones that just have equations in the constraint store. Next, we use a split procedure that regards the linear equations as active and the non-linear ones as passive. Using standard arithmetic operations each linear equation can be rewritten into one of the following forms:

• 0 = 0,

• r = 0, where r is a non-zero real, and

• x = u, where x ∈ Var and u is a linear expression not containing x.

This leads to the following definition of the propagation step:

step(C_p, ∅; θ) := {(C_p; θ)}
step(C_p, C_a, s = t; θ) := {(C_p, C_a; θ)}         if sθ = tθ rewrites to 0 = 0,
                          := ∅                      if sθ = tθ rewrites to r = 0, where r is a non-zero real,
                          := {(C_p, C_a; θ{x/u})}   if sθ = tθ rewrites to x = u.

The last clause models in effect the Gaussian elimination step, now in the presence of linear and non-linear equations.

Negative literals as passive constraints The infer methods introduced above allowed only atoms in the constraint store of special states, that is to say an occurrence of non-atomic formulas in the constraint store leads to an immediate error. Let us extend the infer method to allow for negative literals in the constraint store of special states. Now we can easily modify the definitions from "Atoms as passive constraints": we regard states with finite sets of literals as special states and regard the literals that would evaluate to ERROR as passive. Then the definition of the step is obtained by having a literal L instead of an atom A. Now, in the case of the formula from item (7) of Example 1 we have

(∅; ε)[¬(x = 1) ∧ x = 0] = (¬(x = 1); ε)[x = 0] = step(¬(x = 1); {x/0}) = {(∅; {x/0})}.
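As an added illustration, and not code from the paper, the following Python model implements the semantics of Section 3 (without the existential case) with infer as a parameter and instantiates it twice: the store-free infer of Section 4 and the literals-as-passive-constraints policy of this section, so that formulas (1) and (2) can be evaluated under both. The term language (integers, variables, + and −), the tuple encoding of formulas, and the use of plain state equality for "equivalent to (C; θ)" are simplifying assumptions of this example.

```python
"""Toy model of the paper's two-level semantics over integer arithmetic.

Added illustration, not the paper's own code.  A state is ERROR or a pair
(store, theta): a tuple of postponed formulas and a substitution {var: term}.
Formulas: ('eq', s, t), ('lt', s, t), ('not', f), ('and', f, g), ('or', f, g);
terms: an int, a variable name (str), ('+', s, t) or ('-', s, t).  Existential
quantification (DROP_u) is left out to keep the model short."""
ERROR = 'error'

def ev(term, theta):
    """Apply theta to a term and fold ground subterms into integers (a J-term)."""
    if isinstance(term, str):
        return theta.get(term, term)
    if isinstance(term, tuple):
        a, b = ev(term[1], theta), ev(term[2], theta)
        if isinstance(a, int) and isinstance(b, int):
            return a + b if term[0] == '+' else a - b
        return (term[0], a, b)
    return term

def occurs(x, term):
    return term == x or (isinstance(term, tuple) and
                         (occurs(x, term[1]) or occurs(x, term[2])))

def bind(theta, x, value):
    """Composition theta{x/value}: the new binding is pushed into the old ones."""
    new = {y: ev(t, {x: value}) for y, t in theta.items()}
    new[x] = value
    return new

def eval_literal(lit, theta):
    """Section 4 semantics of one literal: a list of substitutions, or ERROR."""
    if lit[0] == 'not':
        inner = eval_literal(lit[1], theta)
        # not-A is decided only when A is a decided test, not a fresh binding
        if inner == ERROR or (inner and inner != [theta]):
            return ERROR
        return [] if inner else [theta]
    s, t = ev(lit[1], theta), ev(lit[2], theta)
    if lit[0] == 'eq':
        if isinstance(s, str) and not occurs(s, t):
            return [bind(theta, s, t)]
        if isinstance(t, str) and not occurs(t, s):
            return [bind(theta, t, s)]
    if isinstance(s, int) and isinstance(t, int):
        return [theta] if (s == t if lit[0] == 'eq' else s < t) else []
    return [theta] if lit[0] == 'eq' and s == t else ERROR

def infer_no_store(state):
    """Section 4 policy: no store, so an undecidable literal is an error."""
    if state == ERROR or len(state[0]) > 1:
        return [ERROR]
    if not state[0]:                      # identity requirement (5)
        return [state]
    res = eval_literal(state[0][0], state[1])
    return [ERROR] if res == ERROR else [((), th) for th in res]

def infer_passive(state):
    """Section 5 policy, literals as passive constraints: repeat the step
    (evaluate one decidable literal) as long as it applies, keep the rest."""
    if state == ERROR:
        return [ERROR]
    pending, theta = list(state[0]), state[1]
    while True:
        active = [lit for lit in pending if eval_literal(lit, theta) != ERROR]
        if not active:
            return [(tuple(pending), theta)]
        pending.remove(active[0])
        res = eval_literal(active[0], theta)
        if not res:                       # a false literal: no state survives
            return []
        theta = res[0]

def sem(state, phi, infer):
    """(C;theta)[phi] of Section 3 with infer as the parameter."""
    if state == ERROR:
        return [ERROR]
    store, theta = state
    if phi[0] in ('eq', 'lt'):
        return infer((store + (phi,), theta))
    if phi[0] == 'or':                    # nondeterministic choice
        return sem(state, phi[1], infer) + sem(state, phi[2], infer)
    if phi[0] == 'and':                   # sequential composition
        return [s2 for s1 in sem(state, phi[1], infer)
                for s2 in sem(s1, phi[2], infer)]
    # negation: the three contingencies of the definition in Section 3
    results = sem(state, phi[1], infer)
    if not results:                       # phi fails everywhere: not-phi holds
        return infer(state)
    if state in results:                  # phi already true in the input state
        return []
    return infer((store + (phi,), theta))  # postpone not-phi as a constraint

# Formulas (1) and (2) of the introduction, constructed here as sample input
F1 = ('and', ('and', ('lt', 'y', 'z'), ('eq', 'y', 1)), ('eq', 'z', 2))
F2 = ('and', ('not', ('eq', 'x', 1)), ('eq', 'x', 0))
EMPTY = ((), {})
```

Calling sem(EMPTY, F1, infer_no_store) reproduces item 6 of Example 1, while sem(EMPTY, F1, infer_passive) yields the state (∅; {y/1, z/2}) of this section.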
Equality and disequality constraints We continue the previous example for the case of an arbitrary language of terms together with equality and disequality constraints.⁵ We adapt the definition by having as active constraints all equations as well as those disequations that are ground or of the form tθ ≠ tθ. The split of (C; θ) now produces (C_p, C_a; θ) with C_p = s₁ ≠ t₁, …, sₙ ≠ tₙ, a list of all the disequations sᵢ ≠ tᵢ ∈ C for which (sᵢ ≠ tᵢ)θ is not ground and not of the form t ≠ t. The definition of the step then is:

step(C_p; θ) = {(C_p; θ)}                       if no active constraints occur
step(C_p, C_a, s = t; θ) = {(C_p, C_a; θη)}     if η is an mgu of sθ, tθ
step(C_p, C_a, s = t; θ) = ∅                    if sθ, tθ cannot be unified
step(C_p, C_a, s ≠ t; θ) = {(C_p, C_a; θ)}      if sθ ≠ tθ is true
step(C_p, C_a, s ≠ t; θ) = ∅                    if sθ ≠ tθ is false

Then we get, for example,

(∅; ε)[f(x) ≠ f(y) ∧ g(x, b) = g(a, y)] = step(f(x) ≠ f(y); {x/a, y/b}) = {(∅; {x/a, y/b})}.

In general, if no error occurs, we can expect (∅; ε)[φ] to contain special states from which all active constraints are removed, i.e., states of the form (C; θ) where C is a list of inequations s ≠ t such that sθ ≠ tθ is passive. It follows from the independence of inequations of [ref] that over an infinite Herbrand universe such a constraint store is consistent, i.e., has a grounding solution η. For such an η we can then conclude: ⊨ sᵢθη ≠ tᵢθη (for each 1 ≤ i ≤ n) and ⊨ φθη.

The grounding solution η cannot be built up during the computation of [φ]. This is clear from the example x ≠ y ∧ x = c. If we make the choice {x/d, y/c} as a grounding solution for x ≠ y too soon, we are no longer able to deal with x = c later on. Hence we can benefit from the independence of inequations only after the computation of [x ≠ y ∧ x = c] has been completed.

Existential formulas as passive constraints At this point only literals are 
allowed in the constraint store. We can easily extend the current store man- 
agement to one in which also existential formulas are allowed in the constraint 
store. To this end we need some quantifier elimination procedure elim that is 
able to deal with at least some form of existential quantification. Then we can 
have step := elim. 

Arbitrary formulas as passive constraints The previous constraint store 
management can be extended by allowing arbitrary formulas in the constraint 
store. This makes sense as soon as we have some decision procedure solve that 
is able to deal with at least some type of negative formulas. Then we can have 
step := solve. 

⁵ We ignore the notational distinction between the disequation s ≠ t and the negation ¬(s = t) for the moment.
6 Rationale and Related Work

As clarified in Section 4, the soundness result established here generalizes the corresponding result provided in [ref]. The drawback of that semantics was that it yielded ERROR as answer for several clearly satisfiable formulas, like the ones considered in the introduction.

Our interest in a semantics that models constraint management in a sound way 
stems from our attempts to add constraints to the programming language Alma-0 
of Apt et al. Alma-0 extends imperative programming by features that sup- 
port declarative programming. This language allows us to interpret the formulas 
of first-order logic (without universal quantification) as executable programs. In 
Apt and Schaerf [ref] we proposed to extend Alma-0 by constraints but found that 
this led to situations in which the customary interpretation of the conditionals 
by means of the implication is unsound. 

Using the above considerations we can provide a simple sound interpretation
of the IF B THEN S ELSE T END statement. Namely, it is sufficient to interpret
it in logic as $(B \wedge S) \vee (\neg B \wedge T)$, written in the Alma-0 syntax as EITHER B;
S ORELSE (NOT B); T END. This interpretation requires that negative literals,
here NOT B, are used as passive constraints. On the implementation level
backtracking is then needed, but the above interpretation can be reduced to the
customary implementation of IF B THEN S ELSE T END if the condition B
evaluates to true or false irrespectively of the constraint store.

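The conditional reading above, as an added executable model that is not the paper's or Alma-0's code: it assumes a drastically simplified constraint language (atoms $x = v$ with $v$ an integer constant, the substitution as the active level, disequations $x \neq v$ as the passive level, and an infer that only drops satisfied disequations and rejects violated ones). The function if_then_else evaluates IF B THEN S ELSE T END as $(B \wedge S) \vee (\neg B \wedge T)$, keeping NOT B as a passive constraint, and returns the consistent states; it shows both alternatives surviving when the store does not decide B and only one when it does.

```python
# Toy two-level store, added for this edition (not the paper's or Alma-0's code).
# theta is the computed substitution (active level); C holds passive
# disequations x != v. Assumed simplification: v is always an integer constant.

def infer(C, theta):
    """Constraint maintenance step: drop disequations that theta already
    satisfies, yield no state if theta violates one, keep the rest passive."""
    keep = []
    for x, v in C:
        if x in theta:
            if theta[x] == v:
                return []            # inconsistent store: no state survives
            continue                 # x bound to another value: satisfied
        keep.append((x, v))
    return [(keep, dict(theta))]

def tell(state, lit):
    """Add one literal (kind, var, value) to the store and run infer."""
    C, theta = state
    kind, x, v = lit
    if kind == "eq":
        if x in theta:
            return infer(C, theta) if theta[x] == v else []
        return infer(C, {**theta, x: v})
    return infer(C + [(x, v)], theta)          # "neq": passive constraint

def evaluate(state, phi):
    """Denotation of phi: the consistent (C; theta) states it yields."""
    op = phi[0]
    if op in ("eq", "neq"):
        return tell(state, phi)
    if op == "not":                             # NOT (x = v) kept as x != v
        _, x, v = phi[1]
        return tell(state, ("neq", x, v))
    if op == "and":
        return [s for s1 in evaluate(state, phi[1]) for s in evaluate(s1, phi[2])]
    if op == "or":
        return evaluate(state, phi[1]) + evaluate(state, phi[2])
    raise ValueError(op)

def if_then_else(state, B, S, T):
    """IF B THEN S ELSE T END read as (B and S) or (not B and T)."""
    return evaluate(state, ("or", ("and", B, S), ("and", ("not", B), T)))

# Constructed sample program: IF x = 1 THEN y = 2 ELSE y = 3 END.
B, S, T = ("eq", "x", 1), ("eq", "y", 2), ("eq", "y", 3)
if __name__ == "__main__":
    print(if_then_else(([], {}), B, S, T))        # x undecided: two states
    print(if_then_else(([], {"x": 1}), B, S, T))  # B decided true: THEN only
    print(if_then_else(([], {"x": 5}), B, S, T))  # B decided false: ELSE only
```
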
As already mentioned in the introduction the modelling of the constraint store
maintenance by means of an abstract infer mechanism is due to Jaffar and
Maher [?]. In their framework the computation mechanism of constraint logic
programming is modeled, so local variables (modeled by existential variables) and
negation are absent but recursion is considered. Additionally, only conjunctions
of atomic formulas are allowed as constraints.

In [10] several semantics for constraint logic programming are compared. In this
paper a mapping solv is used that allows for inconsistency checks during the
computation. solv can vary with the intended application, just like our infer
parameter, but, unlike infer, it cannot model arbitrary constraint propagation
steps. In fact, in [?] the constraint propagation steps take place only at the end
of each computation.

An alternative approach to model the essentials of constraint programming is
provided by the concurrent constraint programming (ccp) approach pioneered
by Saraswat and Saraswat, Rinard and Panangaden [13]. In this scheme
the programs can also be considered as formulas with the difference that the
atomic tell and ask operations are present and that the parallel composition
connective is present. The idea captured by this model is that the processes
interact by means of a constraint system using the tell and ask operations. The
constraint system is a set of constraints equipped with the entailment operation.
The ccp programs can be written in a logical way by dropping the "tell" context
around a constraint and by interpreting the ask(c) statement as the implication
$c \rightarrow$. However, in spite of this logical view of ccp programs it is not clear how to
interpret them as first-order formulas with the customary semantics. In Fages,
Ruet and Soliman [?] a logical semantics of ccp programs is given by interpreting
them in intuitionistic linear logic. Both the denotational semantics for this
language and the correctness (in the assertional style) of ccp programs were
considered in a number of papers, see, e.g., de Boer et al. [?] and de Boer et
al. How to add negation to this framework in a sound way was studied in
Palamidessi, de Boer and Pierro [12]. By the nature of this approach the study of
the constraint store management captured here by means of the infer mechanism
is absent in this framework.
Appendix: the proofs

In this appendix we give proof details of the Soundness Theorem and
Preservation/Persistence Lemma. Both proofs are by simultaneous inductions on the
structure of the formula. We focus on the existential quantification cases, which
are the most subtle. We use the notation $\models_J \phi[a]$ to indicate the assignment
of values $a$ to (at least) the free variables in $\phi$. In the case of the lemma it will
be convenient to standardize this as follows: we are concerned with $C\theta$ and $\phi_i\theta$
(for $i = 1, 2$) and denote the values for the free variables shared by the $\phi_i\theta$ by
$d$. Then we use the values $c$ for the remaining free variables in $\phi_1\theta$ and $e$ for the
remaining free variables in $\phi_2\theta$. Finally, we denote the values of the remaining
free variables in $C\theta$ by $b$. So, we will mostly use blocks of the form $[b, c, d, e]$.

Proof of Preservation/Persistence Lemma 1:

• atoms: In the atomic case $\phi_2 = A$ for some atom $A$ and $\langle C''; \theta'' \rangle \in \mathit{infer}(C, A; \theta)$.
Straightforward application of property (1) does the trick.

• disjunction: In this case $\phi_2 = (\psi_1 \vee \psi_2)$ and $\langle C''; \theta'' \rangle \in \langle C; \theta \rangle [\![ \psi_i ]\!]$ for some
$i = 1, 2$. In this situation the inductive hypotheses apply straightforwardly.

• conjunction: In this case $\phi_2 = (\psi_1 \wedge \psi_2)$ and $\langle C''; \theta'' \rangle \in \langle C'; \theta' \rangle [\![ \psi_2 ]\!]$ for some
$\langle C'; \theta' \rangle \in \langle C; \theta \rangle [\![ \psi_1 ]\!]$. Now two applications of the inductive hypothesis are
required. For preservation of validity this is straightforward. For preservation of
consistency it works as follows: by assumption $\models_J (C\theta, (\phi_1 \wedge (\psi_1 \wedge \psi_2))\theta)[b, c, d, e]$.
So, $\models_J (C\theta, (\phi_1 \wedge \psi_1)\theta)[b, c_1, d_1, e_1]$, restricting the $d$ and $e$ to the relevant
variables and moving some of the $d$ values to $c_1$. By induction hypothesis we get
$\models_J (C'\theta', (\phi_1 \wedge \psi_1)\theta')[b', c_1', d_1', e_1']$. Next the induction hypothesis (for $\phi_1 \wedge \psi_1$
and $\psi_2$) provides $\models_J (C''\theta'', ((\phi_1 \wedge \psi_1) \wedge \psi_2)\theta'')[b'', c'', d'', e'']$, as required.

• negation: In this case $\phi_2 = \neg\psi$. We have to distinguish cases:

– $\phi_2$ is 'true': $\langle C''; \theta'' \rangle \in \mathit{infer}(C; \theta)$ (and $\mathit{cons}^+(\langle C; \theta \rangle [\![ \psi ]\!]) = \emptyset$). Now property
(1) gives the results.

– $\phi_2$ is 'false': in this case $\langle C; \theta \rangle [\![ \phi_2 ]\!] = \emptyset$ and both (i) and (ii) are void.

– 'otherwise': we get $\langle C''; \theta'' \rangle \in \mathit{infer}(C, \neg\psi; \theta)$. The results follow from first
order logic and property (1).

• existential quantification: Now $\phi_2 = \exists x\, \psi$ for some $x$, $\psi$. So, consider
$\mathit{infer}\, \mathit{DROP}_u \langle C'; \eta \rangle$ for some consistent $\langle C'; \eta \rangle \in \langle C; \theta \rangle [\![ \psi\{x/u\} ]\!]$ ($u$ fresh). By
property (1) it suffices to consider
$\mathit{DROP}_u \langle C; \eta \rangle = \langle (C - C'(u, y)),\ \exists u\, (u = u\eta \wedge y = y\eta \wedge C'(u, y));\ \mathit{DROP}_u(\eta) \rangle$.
We call $\mathit{DROP}_{u,y}(\eta) = \theta''$.

1. By assumption $\langle C; \theta \rangle \models_J \phi_1$. By induction hypothesis $\langle C'; \eta \rangle \models_J \phi_1$. From
this $(u = u\eta \wedge C')\mathit{DROP}_u(\eta) \models_J (u = u\eta \wedge \phi_1)\mathit{DROP}_u(\eta)$. So,
$(u = u\eta \wedge C')\mathit{DROP}_u(\eta) \models_J \phi_1 \mathit{DROP}_u(\eta)$. Repeating this for the $y$, we get
$(u = u\eta \wedge y = y\eta \wedge C')\theta'' \models_J \phi_1 \theta''$. By (2) we may assume that this holds for
some $u$ that does not occur in $\phi_1 \theta''$. Hence the implicit overall universal
quantification over $u$ can be replaced by an existential quantification over $u$
on the left hand side of the sequent. This gives

$((C - C'(u, y)) \wedge \exists u\, (u = u\eta \wedge y = y\eta \wedge C'(u, y)))\theta'' \models_J \phi_1 \theta''$.

Now we can safely re-instantiate the values of the variables in $y$ to obtain
the same for $\mathit{DROP}_u(\eta) = \theta'' \cup \{y/y\eta\}$:

$((C - C'(u, y)) \wedge \exists u\, (u = u\eta \wedge y = y\eta \wedge C'(u, y)))\mathit{DROP}_u(\eta) \models_J \phi_1 \mathit{DROP}_u(\eta)$.

2. The assumption gives $\models_J (C\theta, (\phi_1 \wedge \exists x\, \psi)\theta)[b, c, d, e]$. From the induction
hypothesis we obtain $\models_J (C'\eta, (\phi_1 \wedge \psi\{x/u\})\eta)[b', c', d', e', f]$ where $f$ is
the value of $u$. From this we conclude $\models_J (C'\eta, (\phi_1 \wedge \exists x\, \psi)\eta)[b', c', d', e', f]$.
So, we can be sure that suitable values for all the variables in $C$ and $(\phi_1 \wedge \exists x\, \psi)$
are available, if we use the values in the block $[b', c', d', e', f]$ and the
substitution $\eta$ as a middle man. But then we can also assign these values
directly to the variable $u$, eliminating the middle man $\eta$. This way we get
values $[b'', c'', d'', e'']$ such that
$\models_J (((C - C'(u, y)) \wedge \exists u\, (u = u\eta \wedge y = y\eta \wedge C'(u, y)))\mathit{DROP}_u(\eta),\ (\phi_1 \wedge \exists x\, \psi)\mathit{DROP}_u(\eta))[b'', c'', d'', e'']$.
From this the consistency of $\mathit{DROP}_u \langle C; \eta \rangle$ and $(\phi_1 \wedge \exists x\, \psi)\mathit{DROP}_u(\eta)$ is clear. □

Proof of Soundness Theorem 1:

• atoms: In case $\phi$ is an atomic formula $A$, $\langle C; \theta \rangle [\![ \phi ]\!] = \mathit{infer}(C, A; \theta)$. Now
straightforward applications of property (1) and (3) give the result.

• disjunction: In case $\phi$ is a disjunction, $\phi_1 \vee \phi_2$ say,
$\langle C; \theta \rangle [\![ \phi ]\!] = \langle C; \theta \rangle [\![ \phi_1 ]\!] \cup \langle C; \theta \rangle [\![ \phi_2 ]\!]$. The induction hypotheses apply immediately.

• conjunction: In case $\phi$ is a conjunction, $\phi_1 \wedge \phi_2$ say, $\langle C''; \theta'' \rangle \in \langle C; \theta \rangle [\![ \phi ]\!]$
iff $\langle C''; \theta'' \rangle \in \langle C'; \theta' \rangle [\![ \phi_2 ]\!]$ for some $\langle C'; \theta' \rangle \in \langle C; \theta \rangle [\![ \phi_1 ]\!]$. Part 1 of the theorem
is a straightforward consequence of the induction hypothesis and persistence.
For part 2 we add some details. We have: if $\langle C'; \theta' \rangle \in \langle C; \theta \rangle [\![ \phi_1 ]\!]$ is consistent,
then $\langle C'; \theta' \rangle [\![ \phi_2 ]\!]$ only contains inconsistent states. From this we may conclude
by induction hypothesis that for each $\langle C'; \theta' \rangle \in \mathit{cons}(\langle C; \theta \rangle [\![ \phi_1 ]\!])$

$\langle C'; \theta' \rangle \models_J \neg\phi_2$. (3)

Now assume that for some⁶ $[b, c, d, e]$, $\models_J (C\theta \wedge \phi_1\theta \wedge \phi_2\theta)[b, c, d, e]$ and that
we have a $\langle C'; \theta' \rangle \in \mathit{cons}(\langle C; \theta \rangle [\![ \phi_1 ]\!])$. Then persistence (2) tells us that the
consistency is preserved, i.e., there are $[b', c', d', e']$ such that
$\models_J (C'\theta' \wedge \phi_1\theta' \wedge \phi_2\theta')[b', c', d', e']$. But this contradicts the statement (3). So, for no
$[b, c, d, e]$, $\models_J (C\theta \wedge \phi_1\theta \wedge \phi_2\theta)[b, c, d, e]$, which is as required.

• negation: In case of a negation $\neg\phi$ there are three situations to consider:

– $\langle C'; \theta' \rangle \in \mathit{infer}(C; \theta)$ and $\mathit{cons}^+(\langle C; \theta \rangle [\![ \phi ]\!]) = \emptyset$. Now case (1) of the theorem
follows from the induction hypothesis for case (2) and equivalence condition
(1). Case (2) follows from conditions (1) and (3).

– $\langle C; \theta \rangle [\![ \neg\phi ]\!] = \emptyset$ and there is some $\langle C; \theta' \rangle \in \mathit{cons}(\langle C; \theta \rangle [\![ \phi ]\!])$, which is equivalent
to $\langle C; \theta \rangle$. Now case (1) is satisfied trivially and case (2) follows from the
induction hypothesis for (1) and condition (1) on infer.

– $\langle C; \theta \rangle [\![ \neg\phi ]\!] = \mathit{infer}(C, \neg\phi; \theta)$. Let $\langle C'; \theta' \rangle \in \mathit{infer}(C, \neg\phi; \theta)$ be given. Now case
(1) follows from condition (1) and case (2) relies on conditions (1) and (3).

• existential quantification: In case of an existential quantification $\exists x\, \phi$, we
have to consider $\langle C''; \theta'' \rangle \in \mathit{infer}\, \mathit{DROP}_u \langle C'; \eta \rangle$, for $\langle C'; \eta \rangle \in \mathit{cons}(\langle C; \theta \rangle [\![ \phi\{x/u\} ]\!])$
(some fresh $u$). Call $\mathit{DROP}_{u,y}(\eta) = \theta'$. Below we use a crucial fact about first
order logic: if $x$ is not free in $\chi$, then $\models \forall x\, (\psi \rightarrow \chi) \rightarrow ((\exists x\, \psi) \rightarrow \chi)$.

1. By induction hypothesis $\langle C'; \eta \rangle \models_J \phi\{x/u\}$. By first order logic
$(C - C'(u, y))\eta \models_J (C'(u, y) \rightarrow \phi\{x/u\})\eta$. From this we conclude that
$(C - C'(u, y))\eta \models_J (C'(u, y) \rightarrow \exists x\, \phi)\eta$. $(C - C'(u, y))$ does not contain $u$
or $y$, so: $(C - C'(u, y))\theta' \models_J (C'(u, y) \wedge u = u\eta \wedge y = y\eta \rightarrow \exists x\, \phi)\theta'$. As $u$
does not occur in $(\exists x\, \phi)\theta'$, we can apply the crucial fact to get
$(C - C'(u, y))\theta' \wedge \exists u\, (C'(u, y) \wedge u = u\eta \wedge y = y\eta)\theta' \models_J (\exists x\, \phi)\theta'$.

Now we can make $\theta'$ more specific by re-instantiating the values $y\eta$ for the
variables in $y$. This suffices (by (1)).

2. In this case there is no fresh $u$ which produces a $\langle C'; \eta \rangle \in \mathit{cons}(\langle C; \theta \rangle [\![ \phi\{x/u\} ]\!])$.
The induction hypothesis then gives $\langle C; \theta \rangle \models_J \neg\phi\{x/u\}$ (for all fresh $u$),
from which $\langle C; \theta \rangle \models_J \neg(\exists x\, \phi)$ (as $u$ is fresh w.r.t. $\theta$). □

6 Notation for assignment of values as in the lemma.